class UsersController < ApplicationController
  
  # Protect these actions behind an admin login
  before_filter :admin_required, :only => [:suspend, :unsuspend, :undelete, :delete, :purge]
  before_filter :find_user, :only => [:show, :edit, :update, :suspend, :unsuspend, :delete, :undelete, :purge]
  # TODO: Really implement roles instead of faking it...
  before_filter :owner_required, :only => [:edit, :update, :destroy]

  def index
    # TODO: Some sort of user listing index
  end
  
  def show
    # TODO: Show user profile for home
  end

  def edit
    # TODO: Disallow username change, and email confirmation on email change...
    @page_title = "Spendy! Edit Account"
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { head :ok }
      format.iphone do # new.iphone.erb
        @panel_title = @page_title
        render :layout => false
      end
    end
  end

  def update
    # TODO: Profile update action for user
  end

  def destroy
    # TODO: Implement some kind of user-triggered destroy (hidden=1?)
  end

  def new
    @user = User.new
    @page_title = "Spendy! Sign Up"
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { head :ok }
      format.iphone do # new.iphone.erb
        @panel_title = @page_title
        render :layout => false
      end
    end
  end

  def create
    cookies.delete :auth_token
    # Protects against session fixation attacks, wreaks havoc with request forgery protection. Uncomment at your own risk
    # reset_session
    @user = User.new(params[:user])
    if @user.valid? && @user.errors.empty? && @user.save
      @user.register!
      @user.notify!
      self.current_user = @user
      flash[:notice] = "Thanks for signing up!  Please check your email for activation instructions."
      redirect_to :controller => "sessions", :action => "new"
    else
      flash[:warning] = "Please correct the errors below and make your submission again."
      render :action => 'new'
    end
  end

  def activate
    # TODO: self?
    self.current_user = params[:id].blank? ? :false : User.find_by_activation_code(params[:id])
    if current_user.notified? && current_user.has_activation_code?
      current_user.activate!
      flash[:notice] = "Signup complete!"
      redirect_to :controller => "welcome", :action => "home"
    else
      flash[:warning] = "Unable to activate an account with the activation key provided."
      redirect_to :controller => "sessions", :action => "new"
    end
  end

  def suspend
    @user.suspend! 
    redirect_to users_path
  end

  def unsuspend
    @user.unsuspend! 
    redirect_to users_path
  end

  def delete
    @user.delete!
    redirect_to users_path
  end

  def undelete
    @user.delete!
    redirect_to users_path
  end

  def purge
    @user.destroy
    redirect_to users_path
  end

protected
  def find_user
    @user = User.find(params[:id])
  end

  # TODO: Really implement roles instead of faking it...
  def owner_required
    if current_user != @user
      flash[:warning] = "You must be logged in as the account you are trying to modify or an Administrator to perform that operation."
      redirect_to :controller => "sessions", :action => "new"
    end
  end

end
